<?xml version="1.0" encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc autobreaks="yes"?>
<?rfc tocindent="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc ipr="trust200902" docName="draft-petithuguenin-tram-stun-dtls-00" category="std" obsoletes="" updates="" submissionType="IETF" xml:lang="en">
  <front>
    <title abbrev="TURN over DTLS">Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN)</title>
    <author initials="M." surname="Petit-Huguenin" fullname="Marc Petit-Huguenin">
      <organization>Jive Communications</organization>
      <address>
        <postal>
          <street>1275 West 1600 North, Suite 100</street>
          <city>Orem</city>
          <region>UT</region>
          <code>84057</code>
          <country>USA</country>
        </postal>
        <email>marcph@getjive.com</email>
      </address>
    </author>
    <author initials="G." surname="Salgueiro" fullname="Gonzalo Salgueiro">
      <organization>Cisco Systems</organization>
      <address>
        <postal>
          <street>7200-12 Kit Creek Road</street>
          <city>Research Triangle Park</city>
          <region>NC</region>
          <code>27709</code>
          <country>US</country>
        </postal>
        <email>gsalguei@cisco.com</email>
      </address>
    </author>
    <date day="11" month="February" year="2014"/>
    <area>TSV</area>
    <workgroup>TRAM</workgroup>
    <abstract>
      <t>This document specifies the usage of Datagram Transport Layer Security (DTLS) as a transport protocol for Session Traversal Utilities for NAT (STUN).  It provides guidances on when and how to use DTLS with the currently standardized STUN Usages.  It also specifies modifications to the STUN URIs and TURN URIs and to the TURN resolution mechanism to facilitate the resolution of STUN URIs and TURN URIs into the IP address and port of STUN and TURN servers supporting DTLS as a transport protocol.  </t>
    </abstract>
  </front>
  <middle>
    <section anchor="section.intro" title="Introduction" toc="default">
      <t><xref target="RFC5389" pageno="false" format="default">STUN</xref> defines Transport Layer Security (TLS) over TCP (simply referred to as <xref target="RFC5246" pageno="false" format="default">TLS</xref>) as the transport for STUN due to additional security advantages it offers over plain UDP or TCP transport.  But TLS-over-TCP is not an optimal transport when STUN is used for its originally intended purpose, which is to support multimedia sessions.  This sub-optimality primarily stems from the added latency incurred by the TCP-based head-of-line (HOL) blocking problem coupled with additional TLS buffering (for integrity checks).  This is a well documented and understood transport limitation for secure real-time communications.  </t>
      <t>TLS-over-UDP (referred to as <xref target="RFC6347" pageno="false" format="default">DTLS</xref>) offers the same security advantages as TLS-over-TCP, but without the undesirable latency concerns.  </t>
    </section>
    <section anchor="section.terminology" title="Terminology" toc="default">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119" pageno="false" format="default"/> when they appear in ALL CAPS.  When these words are not in ALL CAPS (such as "must" or "Must"), they have their usual English meanings, and are not to be interpreted as RFC 2119 key words.  </t>
    </section>
    <section anchor="section.transport" title="DTLS as Transport for STUN" toc="default">
      <t><xref target="RFC5389" pageno="false" format="default">STUN</xref> defines three transports: UDP, TCP, and TLS.  This document adds DTLS as a valid transport for STUN.  </t>
      <t>STUN over DTLS MUST use the same retransmission rules as STUN over UDP (as described in Section 7.2.1 of <xref target="RFC5389" pageno="false" format="default"/>).  It MUST also use the same rules that are described in Section 7.2.2 of <xref target="RFC5389" pageno="false" format="default"/> to verify the server identity.  STUN over DTLS MUST, at a minimum, support TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 [[TODO: What is the recommendation these days?]].  The same rules established in Section 7.2.2 of <xref target="RFC5389" pageno="false" format="default"/> for keeping open and closing TCP/TLS connections MUST be used as well for DTLS associations.  </t>
      <t>In addition to the path MTU rules described in Section 7.1 of <xref target="RFC5389" pageno="false" format="default"/>, if the path MTU is unknown, the actual STUN message needs to be adjusted to take into account the size of the (13-byte) DTLS Record header, the MAC size, the padding size and the eventual compression applied to the payload.  </t>
      <t>By default, STUN over DTLS MUST use port 5349, the same port as STUN over TLS.  However, the SRV procedures can be implemented to use a different port (as described in Section 9 of <xref target="RFC5389" pageno="false" format="default"/>).  When using SRV records, the service name MUST be set to "stuns" and the application name to "udp".  </t>
      <t><xref target="RFC3489" pageno="false" format="default">Classic STUN</xref> defines only UDP as a transport and DTLS MUST NOT be used.  Any STUN request or indication without the magic cookie over DTLS MUST always result in an error.  [[TODO: Note that it is a departure from RFC 5389, which does not explicitly state what to do in that case. Are we OK with this?]] </t>
    </section>
    <section anchor="section.usages" title="STUN Usages" toc="default">
      <t><xref target="RFC5389" pageno="false" format="default"/> Section 7.2 states that STUN usages must specify which transport protocol is used.  The following sections discuss if and how the existing STUN usages are used with DTLS as the transport.  Future STUN usages MUST take into account DTLS as a transport and discuss its applicability.  [[TODO: Note that Section 14 of RFC 5389 ommitted to say that transport applicability MUST be discussed. Is this a reasonable addition?]].  </t>
      <section anchor="section.usages.nat-discovery" title="NAT Discovery Usage" toc="default">
        <t>As stated by Section 13 of <xref target="RFC5389" pageno="false" format="default"/>, "...TLS provides minimal security benefits..." for this particular STUN usage.  DTLS will also similarly offer only limited benefit.  This is because the only mandatory attribute that is TLS/DTLS protected is the XOR-MAPPED-ADDRESS, which is already known by an on-path attacker, since it is the same as the source address and port of the STUN request.  On the other hand, using TLS/DTLS will prevent an active attacker to inject XOR-MAPPED-ADDRESS in responses.  The TLS/DTLS transport will also protect the SOFTWARE attribute, which can be used to find vulnerabilities in STUN implementations.  </t>
        <t>Regardless, this usage is rarely used by itself, since <xref target="RFC5766" pageno="false" format="default">TURN</xref> is generally mandatory to use with <xref target="RFC5245" pageno="false" format="default">ICE</xref>, and TURN provides the same NAT Discovery feature as part of an Allocation creation.  In fact, with ICE, the NAT Discovery usage is only used when there is no longer any resource available for new Allocations in the TURN server.  </t>
        <section anchor="section.usages.nat-discovery.uris" title="DTLS Support in STUN URIs" toc="default">
          <t>This document does not make any changes to the syntax of a <xref target="RFC7064" pageno="false" format="default">STUN URI</xref>.  As indicated in Section 3.2 of <xref target="RFC7064" pageno="false" format="default"/>, secure transports like STUN over TLS, and now STUN over DTLS, MUST use the "stuns" URI scheme.  </t>
          <t>The &lt;host&gt; value MUST be used when using the rules in Section 7.2.2 of <xref target="RFC5389" pageno="false" format="default"/> to verify the server identity.  [[TODO: What happens if an IP address is used in the URI?  Should we forbid that?]] </t>
        </section>
      </section>
      <section anchor="section.usages.rfc5245.7" title="Connectivity Check Usage" toc="default">
        <t>Using DTLS would hide the USERNAME, PRIORITY, USE-CANDIDATE, ICE-CONTROLLED and ICE-CONTROLLING attributes.  But because MESSAGE-INTEGRITY protects the entire STUN response using a password that is known only by looking at the SDP exchanged, it is not possible for an attacker to inject an incorrect XOR-MAPPED-ADDRESS, which would subsequently be used as a peer reflexive candidate.  </t>
        <t>Adding DTLS on top of the connectivity check would delay, and consequently impair, the ICE process.  There is, in fact, a proposal (<xref target="I-D.thomson-rtcweb-ice-dtls" pageno="false" format="default"/>) to use the DTLS handshake used by the WebRTC SRTP streams as a replacement for the connectivity checks, proving that adding additional round-trips to ICE is undesirable.  </t>
        <t>This usage MUST NOT be used with a STUN URI.</t>
      </section>
      <section anchor="section.usages.rfc5245.20" title="Media Keep-Alive Usage" toc="default">
        <t>The media keep-alive (described in Section 20 of <xref target="RFC5245" pageno="false" format="default"/>) runs inside an RTP or RTCP session, so it is already protected if the RTP or RTCP session is also protected (i.e., SRTP/SRTCP).  Adding DTLS inside the SRTP/SRTCP session would add overhead, with minimal security benefit.  </t>
        <t>This usage MUST NOT be used with a STUN URI.</t>
      </section>
      <section anchor="section.usages.rfc5626" title="SIP Keep-Alive Usage" toc="default">
        <t>The SIP keep-alive (described in <xref target="RFC5626" pageno="false" format="default"/>) runs inside a SIP flow.  This flow would be protected if a SIP over DTLS transport mechanism is implemented (such as described in <xref target="I-D.jennings-sip-dtls" pageno="false" format="default"/>).  </t>
        <t>This usage MUST NOT be used with a STUN URI.</t>
      </section>
      <section anchor="section.usages.rfc5780" title="NAT Behavior Discovery Usage" toc="default">
        <t>The NAT Behavior Discovery usage is Experimental and to date has never being effectively deployed.  Despite this, using DTLS would add the same security properties as for the <xref target="section.usages.nat-discovery" pageno="false" format="default">NAT Discovery Usage</xref>.  </t>
        <t>The STUN URI can be used to access the NAT Discovery feature of a NAT Behavior Discovery server, but accessing the full features would require definition of a "stun-behaviors:" URI, which is out of scope for this document.</t>
      </section>
      <section anchor="section.usages.rfc5766" title="TURN Usage" toc="default">
        <t><xref target="RFC5766" pageno="false" format="default">TURN</xref> defines three combinations of transports/allocations: UDP/UDP, TCP/UDP and TLS/UDP.  This document adds DTLS/UDP as a valid combination.  A TURN server using DTLS MUST implement the denial-of-service counter-measure described in Section 4.2.1 of <xref target="RFC6347" pageno="false" format="default"/>.  </t>
        <t><xref target="RFC6062" pageno="false" format="default"/> states that TCP allocations cannot be obtained using a UDP association between client and server.  The fact that DTLS uses UDP implies that TCP allocations MUST NOT be obtained using a DTLS association between client and server.  </t>
        <t>By default, TURN over DTLS uses port 5349, the same port as TURN over TLS.  However, the SRV procedures can be implemented to use a different port (as described in Section 6 of <xref target="RFC5766" pageno="false" format="default"/>.  When using SRV records, the service name MUST be set to "turns" and the application name to "udp".  </t>
        <section anchor="section.uris" title="DTLS Support in TURN URIs" toc="default">
          <t>This document does not make any changes to the syntax of a <xref target="RFC7065" pageno="false" format="default">TURN URI</xref>.  As indicated in Section 3 of <xref target="RFC7065" pageno="false" format="default"/>, secure transports like TURN over TLS, and now TURN over DTLS, MUST use the "turns" URI scheme.  When using the "turns" URI scheme to designate TURN over DTLS, the transport value of the TURN URI, if set, MUST be "udp".  </t>
        </section>
        <section anchor="section.resolution" title="Resolution Mechanism for TURN over DTLS" toc="default">
          <t>This document defines a new Straightforward Naming Authority Pointer (S-NAPTR) application protocol tag: "turn.dtls".</t>
          <t>The &lt;transport&gt; component, as provisioned or resulting from the parsing of a TURN URI, is passed without modification to the TURN resolution mechanism defined in Section 3 of <xref target="RFC5928" pageno="false" format="default"/>, but with the following alterations to that algorithm:</t>
          <t><list style="symbols"><t>The acceptable values for transport name are extended with the addition of "dtls".</t><t>The acceptable values in the ordered list of supported TURN transports is extended with the addition of "Datagram Transport Layer Security (DTLS)".</t><t>The resolution algorithm ckeck rules list is extended with the addition of the following step: <list style="empty"><t>If &lt;secure&gt; is true and &lt;transport&gt; is defined as "udp" but the list of TURN transports supported by the application does not contain DTLS, then the resolution MUST stop with an error.</t></list> </t><t>The 5th rule of the resolution algorithm check rules list is modified to read like this: <list style="none"><t>If &lt;secure&gt; is true and &lt;transport&gt; is not defined but the list of TURN transports supported by the application does not contain TLS or DTLS, then the resolution MUST stop with an error.</t></list> </t><t>Table 1 is modified to add the following line:</t></list> </t>
          <texttable title="" suppress-title="false" align="center" style="full">
            <ttcol align="left">&lt;secure&gt;</ttcol>
            <ttcol align="left">&lt;transport&gt;</ttcol>
            <ttcol align="left">TURN Transport</ttcol>
            <c>true</c>
            <c>"udp"</c>
            <c>DTLS</c>
          </texttable>
          <t><list style="symbols"><t>In step 1 of the resolution algorithm the default port for DTLS is 5349.</t><t>In step 4 of the resolution algorithm the following is added to the list of conversions between the filtered list of TURN transports supported by the application and application protocol tags: <list style="empty"><t>"turn.dtls" is used if the TURN transport is DTLS.</t></list> </t></list> </t>
          <t>Note that using the <xref target="RFC5928" pageno="false" format="default"/> resolution mechanism does not imply that additional round trips to the DNS server will be needed (e.g., the TURN client will start immediately if the TURN URI contains an IP address).</t>
        </section>
      </section>
    </section>
    <section anchor="section.ref-impl" title="Implementation Status" toc="default">
      <t>[[Note to RFC Editor: Please remove this section and the reference to <xref target="RFC6982" pageno="false" format="default"/> before publication.]]</t>
      <t>This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC6982" pageno="false" format="default"/>.  The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.  Please note that the listing of any individual implementation here does not imply endorsement by the IETF.  Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.  This is not intended as, and must not be construed to be, a catalog of available implementations or their features.  Readers are advised to note that other implementations may exist.  </t>
      <t>According to <xref target="RFC6982" pageno="false" format="default"/>, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.  It is up to the individual working groups to use this information as they see fit".  </t>
      <section anchor="section.impl-status.turnuri" title="turnuri" toc="default">
        <t><list style="hanging"><t hangText="Organization: ">Impedance Mismatch</t><t hangText="Name: ">turnuri 0.5.0 http://debian.implementers.org/stable/source/turnuri.tar.gz </t><t hangText="Description: ">A reference implementation of the URI and resolution mechanism defined in this document, <xref target="RFC7065" pageno="false" format="default">RFC 7065</xref> and <xref target="RFC5928" pageno="false" format="default">RFC 5928</xref>.</t><t hangText="Level of maturity: ">Beta.</t><t hangText="Coverage: ">Fully implements the URIs and resolution mechanism defined in this specification, in RFC 7065 and in RFC 5928.</t><t hangText="Licensing: ">AGPL3</t><t hangText="Implementation experience: ">TBD</t><t hangText="Contact: ">Marc Petit-Huguenin &lt;marc@petit-huguenin.org&gt;.</t></list> </t>
      </section>
      <section anchor="section.impl-status.rfc5766-turn-server" title="rfc5766-turn-server" toc="default">
        <t><list style="hanging"><t hangText="Organization: ">This is a public project, the full list of authors and contributors here: http://turnserver.open-sys.org/downloads/AUTHORS.</t><t hangText="Name: ">http://code.google.com/p/rfc5766-turn-server/</t><t hangText="Description: ">A mature open-source TURN server specs implementation (RFC 5766, RFC 6062, RFC 6156, etc) designed for high-performance applications, especially geared for WebRTC.</t><t hangText="Level of maturity: ">Production level.</t><t hangText="Coverage: ">Fully implements DTLS with TURN protocol.</t><t hangText="Licensing: ">BSD: http://turnserver.open-sys.org/downloads/LICENSE </t><t hangText="Implementation experience: ">DTLS is recommended for secure media applications.  It has benefits of both UDP and TLS.  </t><t hangText="Contact: ">Oleg Moskalenko &lt;mom040267@gmail.com&gt;</t></list> </t>
      </section>
    </section>
    <section anchor="section.security" title="Security Considerations" toc="default">
      <t>STUN over DTLS as a STUN transport does not introduce any specific security considerations beyond those for STUN over TLS detailed in <xref target="RFC5389" pageno="false" format="default"/>.</t>
      <t>The usage of "udp" as a transport parameter with the "stuns" URI scheme does not introduce any specific security issues beyond those discussed in <xref target="RFC7064" pageno="false" format="default"/>.</t>
      <t>TURN over DTLS as a TURN transport does not introduce any specific security considerations beyond those for TURN over TLS detailed in <xref target="RFC5766" pageno="false" format="default"/>.</t>
      <t>The usage of "udp" as a transport parameter with the "turns" URI scheme does not introduce any specific security issues beyond those discussed in <xref target="RFC7065" pageno="false" format="default"/>.</t>
      <t>The new S-NAPTR application protocol tag defined in this document as well as the modifications this document makes to the TURN resolution mechanism described in <xref target="RFC5928" pageno="false" format="default"/> do not introduce any additional security considerations beyond those outlined in <xref target="RFC5928" pageno="false" format="default"/>.</t>
    </section>
    <section anchor="section.iana" title="IANA Considerations" toc="default">
      <section anchor="section.iana.tag" title="S-NAPTR application protocol tag" toc="default">
        <t>This specification contains the registration information for one S-NAPTR application protocol tag (in accordance with <xref target="RFC3958" pageno="false" format="default"/>).</t>
        <t><list style="hanging"><t hangText="Application Protocol Tag: ">turn.dtls</t><t hangText="Intended Usage: ">See <xref target="section.resolution" pageno="false" format="default"/></t><t hangText="Interoperability considerations: ">N/A</t><t hangText="Security considerations: ">See <xref target="section.security" pageno="false" format="default"/></t><t hangText="Relevant publications: ">This document</t><t hangText="Contact information: ">Marc Petit-Huguenin</t><t hangText="Author/Change controller: ">The IESG</t></list> </t>
      </section>
      <section anchor="section.iana.port-number" title="Service Name and Transport Protocol Port Number" toc="default">
        <t>This specification contains the registration information for two Service Name and Transport Protocol Port Numbers (in accordance with <xref target="RFC6335" pageno="false" format="default"/>).</t>
        <section anchor="section.iana.port-number.stuns" title="The stuns Service Name" toc="default">
          <t><list style="hanging"><t hangText="Service Name: ">stuns</t><t hangText="Transport Protocol(s): ">UDP</t><t hangText="Assignee: ">IESG</t><t hangText="Contact: ">Marc Petit-Huguenin</t><t hangText="Description: ">STUN over DTLS</t><t hangText="Reference: ">This document</t><t hangText="Port Number: ">5349</t></list> </t>
        </section>
        <section anchor="section.iana.port-number.turns" title="The turns Service Name" toc="default">
          <t><list style="hanging"><t hangText="Service Name: ">turns</t><t hangText="Transport Protocol(s): ">UDP</t><t hangText="Assignee: ">IESG</t><t hangText="Contact: ">Marc Petit-Huguenin</t><t hangText="Description: ">TURN over DTLS</t><t hangText="Reference: ">This document</t><t hangText="Port Number: ">5349</t></list> </t>
        </section>
      </section>
    </section>
    <section anchor="section.acknowledgements" title="Acknowledgements" toc="default">
      <t>Thanks to Alan Johnston, Oleg Moskalenko, and Simon Perreault for the comments, suggestions, and questions that helped improve this document.</t>
    </section>
  </middle>
  <back>
    <references title="Normative References">
      <reference anchor="RFC2119">
        <front>
          <title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement Levels</title>
          <author initials="S." surname="Bradner" fullname="Scott Bradner">
            <organization>Harvard University</organization>
            <address>
              <postal>
                <street>1350 Mass. Ave.</street>
                <street>Cambridge</street>
                <street>MA 02138</street>
              </postal>
              <phone>- +1 617 495 3864</phone>
              <email>sob@harvard.edu</email>
            </address>
          </author>
          <date year="1997" month="March"/>
          <area>General</area>
          <keyword>keyword</keyword>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized.  This document defines these words as they should be interpreted in IETF documents.  Authors who follow these guidelines should incorporate this phrase near the beginning of their document: <list><t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.  </t></list></t>
            <t>Note that the force of these words is modified by the requirement level of the document in which they are used.  </t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <format type="TXT" octets="4723" target="http://www.rfc-editor.org/rfc/rfc2119.txt"/>
        <format type="HTML" octets="17970" target="http://xml.resource.org/public/rfc/html/rfc2119.html"/>
        <format type="XML" octets="5777" target="http://xml.resource.org/public/rfc/xml/rfc2119.xml"/>
      </reference>
      <reference anchor="RFC3489">
        <front>
          <title>STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)</title>
          <author initials="J." surname="Rosenberg" fullname="J. Rosenberg">
            <organization/>
          </author>
          <author initials="J." surname="Weinberger" fullname="J. Weinberger">
            <organization/>
          </author>
          <author initials="C." surname="Huitema" fullname="C. Huitema">
            <organization/>
          </author>
          <author initials="R." surname="Mahy" fullname="R. Mahy">
            <organization/>
          </author>
          <date year="2003" month="March"/>
          <abstract>
            <t>Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) is a lightweight protocol that allows applications to discover the presence and types of NATs and firewalls between them and the public Internet.  It also provides the ability for applications to determine the public Internet Protocol (IP) addresses allocated to them by the NAT.  STUN works with many existing NATs, and does not require any special behavior from them.  As a result, it allows a wide variety of applications to work through existing NAT infrastructure. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="3489"/>
        <format type="TXT" octets="117562" target="http://www.rfc-editor.org/rfc/rfc3489.txt"/>
      </reference>
      <reference anchor="RFC3958">
        <front>
          <title>Domain-Based Application Service Location Using SRV RRs and the Dynamic Delegation Discovery Service (DDDS)</title>
          <author initials="L." surname="Daigle" fullname="L. Daigle">
            <organization/>
          </author>
          <author initials="A." surname="Newton" fullname="A. Newton">
            <organization/>
          </author>
          <date year="2005" month="January"/>
          <abstract>
            <t>This memo defines a generalized mechanism for application service naming that allows service location without relying on rigid domain naming conventions (so-called name hacks).  The proposal defines a Dynamic Delegation Discovery System (DDDS) Application to map domain name, application service name, and application protocol dynamically to target server and port. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="3958"/>
        <format type="TXT" octets="54568" target="http://www.rfc-editor.org/rfc/rfc3958.txt"/>
      </reference>
      <reference anchor="RFC5245">
        <front>
          <title>Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols</title>
          <author initials="J." surname="Rosenberg" fullname="J. Rosenberg">
            <organization/>
          </author>
          <date year="2010" month="April"/>
          <abstract>
            <t>This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based multimedia sessions established with the offer/answer model.  This protocol is called Interactive Connectivity Establishment (ICE).  ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).  ICE can be used by any protocol utilizing the offer/answer model, such as the Session Initiation Protocol (SIP). [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5245"/>
        <format type="TXT" octets="285120" target="http://www.rfc-editor.org/rfc/rfc5245.txt"/>
      </reference>
      <reference anchor="RFC5246">
        <front>
          <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
          <author initials="T." surname="Dierks" fullname="T. Dierks">
            <organization/>
          </author>
          <author initials="E." surname="Rescorla" fullname="E. Rescorla">
            <organization/>
          </author>
          <date year="2008" month="August"/>
          <abstract>
            <t>This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol.  The TLS protocol provides communications security over the Internet.  The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5246"/>
        <format type="TXT" octets="222395" target="http://www.rfc-editor.org/rfc/rfc5246.txt"/>
      </reference>
      <reference anchor="RFC5389">
        <front>
          <title>Session Traversal Utilities for NAT (STUN)</title>
          <author initials="J." surname="Rosenberg" fullname="J. Rosenberg">
            <organization/>
          </author>
          <author initials="R." surname="Mahy" fullname="R. Mahy">
            <organization/>
          </author>
          <author initials="P." surname="Matthews" fullname="P. Matthews">
            <organization/>
          </author>
          <author initials="D." surname="Wing" fullname="D. Wing">
            <organization/>
          </author>
          <date year="2008" month="October"/>
          <abstract>
            <t>Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints, and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs, and does not require any special behavior from them.&lt;/t&gt;&lt;t&gt; STUN is not a NAT traversal solution by itself. Rather, it is a tool to be used in the context of a NAT traversal solution. This is an important change from the previous version of this specification (RFC 3489), which presented STUN as a complete solution.&lt;/t&gt;&lt;t&gt; This document obsoletes RFC 3489. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5389"/>
        <format type="TXT" octets="125650" target="http://www.rfc-editor.org/rfc/rfc5389.txt"/>
      </reference>
      <reference anchor="RFC5626">
        <front>
          <title>Managing Client-Initiated Connections in the Session Initiation Protocol (SIP)</title>
          <author initials="C." surname="Jennings" fullname="C. Jennings">
            <organization/>
          </author>
          <author initials="R." surname="Mahy" fullname="R. Mahy">
            <organization/>
          </author>
          <author initials="F." surname="Audet" fullname="F. Audet">
            <organization/>
          </author>
          <date year="2009" month="October"/>
          <abstract>
            <t>The Session Initiation Protocol (SIP) allows proxy servers to initiate TCP connections or to send asynchronous UDP datagrams to User Agents in order to deliver requests.  However, in a large number of real deployments, many practical considerations, such as the existence of firewalls and Network Address Translators (NATs) or the use of TLS with server-provided certificates, prevent servers from connecting to User Agents in this way.  This specification defines behaviors for User Agents, registrars, and proxy servers that allow requests to be delivered on existing connections established by the User Agent.  It also defines keep-alive behaviors needed to keep NAT bindings open and specifies the usage of multiple connections from the User Agent to its registrar. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5626"/>
        <format type="TXT" octets="116344" target="http://www.rfc-editor.org/rfc/rfc5626.txt"/>
      </reference>
      <reference anchor="RFC5766">
        <front>
          <title>Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)</title>
          <author initials="R." surname="Mahy" fullname="R. Mahy">
            <organization/>
          </author>
          <author initials="P." surname="Matthews" fullname="P. Matthews">
            <organization/>
          </author>
          <author initials="J." surname="Rosenberg" fullname="J. Rosenberg">
            <organization/>
          </author>
          <date year="2010" month="April"/>
          <abstract>
            <t>If a host is located behind a NAT, then in certain situations it can be impossible for that host to communicate directly with other hosts (peers).  In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay.  This specification defines a protocol, called TURN (Traversal Using Relays around NAT), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay.  TURN differs from some other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5766"/>
        <format type="TXT" octets="172112" target="http://www.rfc-editor.org/rfc/rfc5766.txt"/>
      </reference>
      <reference anchor="RFC5928">
        <front>
          <title>Traversal Using Relays around NAT (TURN) Resolution Mechanism</title>
          <author initials="M." surname="Petit-Huguenin" fullname="M. Petit-Huguenin">
            <organization/>
          </author>
          <date year="2010" month="August"/>
          <abstract>
            <t>This document defines a resolution mechanism to generate a list of server transport addresses that can be tried to create a Traversal Using Relays around NAT (TURN) allocation. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5928"/>
        <format type="TXT" octets="23993" target="http://www.rfc-editor.org/rfc/rfc5928.txt"/>
      </reference>
      <reference anchor="RFC6062">
        <front>
          <title>Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations</title>
          <author initials="S." surname="Perreault" fullname="S. Perreault">
            <organization/>
          </author>
          <author initials="J." surname="Rosenberg" fullname="J. Rosenberg">
            <organization/>
          </author>
          <date year="2010" month="November"/>
          <abstract>
            <t>This specification defines an extension of Traversal Using Relays around NAT (TURN), a relay protocol for Network Address Translator (NAT) traversal.  This extension allows a TURN client to request TCP allocations, and defines new requests and indications for the TURN server to open and accept TCP connections with the client\'s peers.  TURN and this extension both purposefully restrict the ways in which the relayed address can be used.  In particular, it prevents users from running general-purpose servers from ports obtained from the TURN server. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6062"/>
        <format type="TXT" octets="28978" target="http://www.rfc-editor.org/rfc/rfc6062.txt"/>
      </reference>
      <reference anchor="RFC6335">
        <front>
          <title>Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry</title>
          <author initials="M." surname="Cotton" fullname="M. Cotton">
            <organization/>
          </author>
          <author initials="L." surname="Eggert" fullname="L. Eggert">
            <organization/>
          </author>
          <author initials="J." surname="Touch" fullname="J. Touch">
            <organization/>
          </author>
          <author initials="M." surname="Westerlund" fullname="M. Westerlund">
            <organization/>
          </author>
          <author initials="S." surname="Cheshire" fullname="S. Cheshire">
            <organization/>
          </author>
          <date year="2011" month="August"/>
          <abstract>
            <t>This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry.&lt;/t&gt;&lt;t&gt; This document updates IANA's procedures by obsoleting the previous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service name and port assignment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify what a service name is and how it is registered. This memo documents an Internet Best Current Practice.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="165"/>
        <seriesInfo name="RFC" value="6335"/>
        <format type="TXT" octets="79088" target="http://www.rfc-editor.org/rfc/rfc6335.txt"/>
      </reference>
      <reference anchor="RFC6347">
        <front>
          <title>Datagram Transport Layer Security Version 1.2</title>
          <author initials="E." surname="Rescorla" fullname="E. Rescorla">
            <organization/>
          </author>
          <author initials="N." surname="Modadugu" fullname="N. Modadugu">
            <organization/>
          </author>
          <date year="2012" month="January"/>
          <abstract>
            <t>This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol.  The DTLS protocol provides communications privacy for datagram protocols.  The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.  The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees.  Datagram semantics of the underlying transport are preserved by the DTLS protocol.  This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6347"/>
        <format type="TXT" octets="73546" target="http://www.rfc-editor.org/rfc/rfc6347.txt"/>
      </reference>
      <reference anchor="RFC7064">
        <front>
          <title>URI Scheme for the Session Traversal Utilities for NAT (STUN) Protocol</title>
          <author initials="S." surname="Nandakumar" fullname="S. Nandakumar">
            <organization/>
          </author>
          <author initials="G." surname="Salgueiro" fullname="G. Salgueiro">
            <organization/>
          </author>
          <author initials="P." surname="Jones" fullname="P. Jones">
            <organization/>
          </author>
          <author initials="M." surname="Petit-Huguenin" fullname="M. Petit-Huguenin">
            <organization/>
          </author>
          <date year="2013" month="November"/>
          <abstract>
            <t>This document specifies the syntax and semantics of the Uniform Resource Identifier (URI) scheme for the Session Traversal Utilities for NAT (STUN) protocol.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7064"/>
        <format type="TXT" octets="15045" target="http://www.rfc-editor.org/rfc/rfc7064.txt"/>
      </reference>
      <reference anchor="RFC7065">
        <front>
          <title>Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers</title>
          <author initials="M." surname="Petit-Huguenin" fullname="M. Petit-Huguenin">
            <organization/>
          </author>
          <author initials="S." surname="Nandakumar" fullname="S. Nandakumar">
            <organization/>
          </author>
          <author initials="G." surname="Salgueiro" fullname="G. Salgueiro">
            <organization/>
          </author>
          <author initials="P." surname="Jones" fullname="P. Jones">
            <organization/>
          </author>
          <date year="2013" month="November"/>
          <abstract>
            <t>This document specifies the syntax of Uniform Resource Identifier (URI) schemes for the Traversal Using Relays around NAT (TURN) protocol.  It defines two URI schemes to provision the TURN Resolution Mechanism (RFC 5928).</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="7065"/>
        <format type="TXT" octets="16143" target="http://www.rfc-editor.org/rfc/rfc7065.txt"/>
      </reference>
    </references>
    <references title="Informative References">
      <reference anchor="RFC6982">
        <front>
          <title>Improving Awareness of Running Code: The Implementation Status Section</title>
          <author initials="Y." surname="Sheffer" fullname="Y. Sheffer">
            <organization/>
          </author>
          <author initials="A." surname="Farrel" fullname="A. Farrel">
            <organization/>
          </author>
          <date year="2013" month="July"/>
          <abstract>
            <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.&lt;/t&gt;&lt;t&gt; The process in this document is offered as an experiment. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. The authors of this document intend to collate experiences with this experiment and to report them to the community.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="6982"/>
        <format type="TXT" octets="19358" target="http://www.rfc-editor.org/rfc/rfc6982.txt"/>
      </reference>
      <reference anchor="I-D.thomson-rtcweb-ice-dtls">
        <front>
          <title>Using Datagram Transport Layer Security (DTLS) For Interactivity Connectivity Establishment (ICE) Connectivity Checking: ICE-DTLS</title>
          <author initials="M" surname="Thomson" fullname="Martin Thomson">
            <organization/>
          </author>
          <date month="March" day="27" year="2012"/>
          <abstract>
            <t>Interactivity Connectivity Establishment (ICE) connectivity checking using the Datagram Transport Layer Security (DTLS) handshake is described.  The DTLS handshake provides sufficient information to identify valid candidates and establish consent.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-thomson-rtcweb-ice-dtls-00"/>
        <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-thomson-rtcweb-ice-dtls-00.txt"/>
      </reference>
      <reference anchor="I-D.jennings-sip-dtls">
        <front>
          <title>Using Interactive Connectivity Establishment (ICE) in Web Real-Time Communications (WebRTC)</title>
          <author fullname="Cullen Jennings" initials="C." surname="Jennings">
            <organization>Cisco Systems</organization>
            <address>
              <postal>
                <street>170 West Tasman Drive</street>
                <street>MS: SJC-21/2</street>
                <city>San Jose</city>
                <region>CA</region>
                <code>95134</code>
                <country>USA</country>
              </postal>
              <phone>+1 408 902-3341</phone>
              <email>fluffy@cisco.com</email>
            </address>
          </author>
          <author fullname="Nagendra Modadugu" initials="N." surname="Modadugu">
            <organization>Google, Inc.</organization>
            <address>
              <postal>
                <street>1600 Ampitheatre Parkway</street>
                <city>Muntain View</city>
                <region>CA</region>
                <code>94043</code>
                <country>USA</country>
              </postal>
              <email>ngm@google.com</email>
            </address>
          </author>
          <date day="10" month="October" year="2007"/>
          <abstract>
            <t>This specification defines how to use Datagram Transport Layer Security (DTLS) as a transport for Session Initiation Protocol (SIP).  DTLS is a protocol for providing Transport Layer Security (TLS) security over a datagram protocol.  This specification also specifies the IANA registrations for using SIP with Datagram Congestion Control Protocol (DCCP).  DTLS can be used with either UDP or the Datagram Congestion Control Protocol (DCCP).  To accommodate this, this specification also defines how to use SIP directly over DCCP.  </t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-jennings-sip-dtls-05"/>
        <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-jennings-sip-dtls-05.txt"/>
      </reference>
    </references>
    <section anchor="appendix.examples" title="Examples" toc="default">
      <t><xref target="example.1" pageno="false" format="default"/> shows how the &lt;secure&gt;, &lt;port&gt; and &lt;transport&gt; components are populated for a TURN URI that uses DTLS as its transport.  For all these examples, the &lt;host&gt; component is populated with "example.net".  </t>
      <texttable anchor="example.1" title="" suppress-title="false" align="center" style="full">
        <ttcol align="left">URI</ttcol>
        <ttcol align="left">&lt;secure&gt;</ttcol>
        <ttcol align="left">&lt;port&gt;</ttcol>
        <ttcol align="left">&lt;transport&gt;</ttcol>
        <c>turns:example.net?transport=udp</c>
        <c>true</c>
        <c/>
        <c>DTLS</c>
      </texttable>
      <t>With the DNS RRs in <xref target="example.2" pageno="false" format="default"/> and an ordered TURN transport list of {DTLS, TLS, TCP, UDP}, the resolution algorithm will convert the TURN URI "turns:example.net" to the ordered list of IP address, port, and protocol tuples in <xref target="table.2" pageno="false" format="default"/>.</t>
      <figure anchor="example.2" title="" suppress-title="false" align="left" alt="" width="" height="">
        <artwork xml:space="preserve" name="" type="" align="left" alt="" width="" height="">example.net.
IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net.
IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net.

datagram.example.net.
IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net.
IN NAPTR 100 10 S RELAY:turn.dtls "" _turns._udp.example.net.

stream.example.net.
IN NAPTR 100 10 S RELAY:turn.tcp "" _turn._tcp.example.net.
IN NAPTR 200 10 A RELAY:turn.tls "" a.example.net.

_turn._udp.example.net.
IN SRV   0 0 3478 a.example.net.

_turn._tcp.example.net.
IN SRV   0 0 5000 a.example.net.

_turns._udp.example.net.
IN SRV   0 0 5349 a.example.net.

a.example.net.
IN A     192.0.2.1
			   </artwork>
      </figure>
      <texttable anchor="table.2" title="" suppress-title="false" align="center" style="full">
        <ttcol align="left">Order</ttcol>
        <ttcol align="left">Protocol</ttcol>
        <ttcol align="left">IP address</ttcol>
        <ttcol align="left">Port</ttcol>
        <c>1</c>
        <c>DTLS</c>
        <c>192.0.2.1</c>
        <c>5349</c>
        <c>2</c>
        <c>TLS</c>
        <c>192.0.2.1</c>
        <c>5349</c>
      </texttable>
    </section>
    <section title="Release notes" toc="default">
      <t>This section must be removed before publication as an RFC.</t>
      <section title="Modifications between petithuguenin-tram-turn-dtls-00 and petithuguenin-tram-stun-dtls-00" toc="default">
        <t><list style="symbols"><t>Add RFC 6982 information for rfc5766-turn-server project.</t><t>Rename the draft as TURN is now just one of the usages.</t><t>Remove the references in the abstract to make idnits happy.</t><t>No longer updates other standard drafts.</t><t>Rewrite from a STUN over DTLS point of view.  The previous text becomes section 4.6.  </t><t>Add IANA request for stuns port.</t><t>Add acknowledgement section.</t></list> </t>
      </section>
    </section>
  </back>
</rfc>
